IT GUYs: Method of virus removal

So I figured I'd ask what some of you IT guys or computer-literate people do for virus removal: what programs you use, how effective they are, etc.

Myself:

I remove viruses manually: I boot to a WinPE disc and remove the virus by hand, no programs, etc.

First I go through the various places in the system folders where they like to hide; 99% of the time viruses are extremely easy to spot if you know what to look for.

After I delete the infected files themselves, I go into a registry program and delete any registry keys associated with them.

Doing this manually takes me all of ~20 minutes to remove a virus completely by hand, and 99% of the time I can get rid of the infection without even touching another program.

For good measure though, after I reboot normally I open Malwarebytes and do a full scan. Generally nothing more than a few registry keys I've missed come up, but every now and then I will have missed a DLL or EXE file that I was unsure of and renamed to .old.

I do virus removal quite often, and honestly you can't beat doing it manually once you know what's good, what's bad and what to look for. It's 10x better and faster than any virus scanner, although they should still be run, as things can get overlooked.

So do any of you guys do things manually? If not, what programs do you have the best luck with and the best detection rates, whether paid or free?

I also do it semi-manually.

When I get a PC:

  1. Check Task Manager for anything funky. Usually there will be something there.
  2. Search for said something. Usually it's in C:\Windows\System32.
  3. Delete said something manually. This sometimes requires ending that process and then immediately deleting the file before it can relaunch (I'm sure you've seen some of those).
  4. Go through Program Files and Add/Remove Programs for files/folders that shouldn't be there.
  5. Run MSConfig, Spybot, CCleaner and ComboFix for safety.
  6. Give it back to the user.

Our Websense proxy detects a lot of spyware (if it's trying to communicate with the outside world), so that helps a lot in knowing whether a PC is cleaned or not.
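The "check Task Manager, kill it, then get the file before it relaunches" steps above as an added PowerShell example (not the poster's own script). It flags running processes that are unsigned or that run from a user-writable directory, then kills one and renames its image in the same step. Assumptions: an elevated prompt on the infected machine itself, and the list of "odd" directories is my own; being unsigned is a lead, not a verdict, since plenty of legitimate software is unsigned.

```powershell
# Added example, not the poster's own script. Live triage of a running
# infection from an elevated PowerShell prompt: find processes that are
# unsigned or running from a user-writable directory, then kill one and act
# on its image file straight away so a watchdog cannot relaunch it.
function Get-SuspiciousProcess {
    # Places a legitimate service or application rarely runs from (assumed list).
    $oddDirs = @($env:TEMP, "$env:USERPROFILE\AppData", 'C:\Users\Public', 'C:\ProgramData', "$env:windir\Temp")
    foreach ($p in (Get-Process | Where-Object { $_.Path })) {
        $sig = Get-AuthenticodeSignature -FilePath $p.Path
        $inOddDir = $false
        foreach ($d in $oddDirs) { if ($p.Path -like "$d\*") { $inOddDir = $true } }
        if ($sig.Status -eq 'Valid' -and -not $inOddDir) { continue }   # looks normal, skip it
        [pscustomobject]@{
            Id          = $p.Id
            Name        = $p.ProcessName
            Path        = $p.Path
            Signature   = $sig.Status                     # Valid / NotSigned / HashMismatch ...
            Publisher   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            Company     = (Get-Item -LiteralPath $p.Path).VersionInfo.CompanyName   # self-declared, not proof
            OddLocation = $inOddDir
        }
    }
}

function Remove-ProcessImage {
    # Kill the process, then rename (default) or delete its image before it
    # can come back. Renaming to .old keeps a wrong call reversible.
    param([Parameter(Mandatory)][int]$Id, [switch]$Delete)
    $p = Get-Process -Id $Id -ErrorAction Stop
    $path = $p.Path
    Stop-Process -Id $Id -Force
    $null = $p.WaitForExit(5000)
    if ($Delete) { Remove-Item -LiteralPath $path -Force }
    else { Rename-Item -LiteralPath $path -NewName ((Split-Path $path -Leaf) + '.old') -Force }
    # If it is back two seconds later, something else (a service, scheduled
    # task, second dropper or Run key) is restarting it; chase that next.
    Start-Sleep -Seconds 2
    $back = Get-Process -Name $p.ProcessName -ErrorAction SilentlyContinue
    if ($back) { Write-Warning "$($p.ProcessName) relaunched as PID $($back[0].Id); find what starts it." }
    else { "$path stopped and " + $(if ($Delete) { 'deleted' } else { 'renamed to .old' }) }
}

Get-SuspiciousProcess | Sort-Object OddLocation -Descending | Format-Table -AutoSize
# Remove-ProcessImage -Id 1234          # only after you have looked at the path and publisher
```

Run the first command, read the Path and Publisher columns, and only then call Remove-ProcessImage on a PID you have judged. The relaunch check at the end is what separates a plain dropper from one that is being respawned by a service or autorun entry.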

Backup files. Format.

Start using a bootable WinPE disc or something of the sort. If you know what kind of files to look for, or the signs, it makes it 10x faster… not to mention you don't have to deal with ending a task or unlocking a file, and if you're unsure of a file you can just rename it to .old.

Windows
Windows/system32
windows/system32/Drivers
windows/system32/Drivers/ETC
Program Files
“username”/Local Settings (always delete the Temp and Temp internet Files folder)
“username”/Application Data

HAH yes i used forward slashes, im to lazy to change it

There's a few more I can't think of off the top of my head at the moment.

Sort by date modified; usually a virus will be extremely recent, and generally you can pick out very quickly what's not legit.

Then use a program like Reg Editor PE to go through the registry and delete any reg entries associated with them, along with making sure everything under Winlogon is legit…

My favourite one so far is WinLogon32.exe being called to launch under the Userinit registry key; when you remove the virus it goes into a log on/log off loop, as it's supposed to be pointing at userinit.exe.

As far as ComboFix goes, it's helped me a lot, but doing massive amounts of virus removals, I've realized it's extremely ineffective against a lot of things, breaks a lot of files… and can cause some serious system file issues depending on the severity of the infection.

Anyways, learn to manually remove shit; it will make your job 10x easier and allow you to turn around a machine in less than an hour instead of waiting 1-2 for scans to complete and possibly not fixing the problem or causing other issues.

I can remove the viruses in a machine in 20 mins, sometimes less depending on severity, and 99% of the time I could just leave the machine after that and it would probably be 100% fine, but I do like to do a Spybot or Malwarebytes scan when I'm done to clean up any registry files or small files I may have missed, which sometimes happens haha

Very rarely do I come across a virus that does something so out of hand that I need a program to get rid of it, and those fucking suck, but you always learn something… it's amazing how tricky these fuckers have gotten.
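The offline procedure from this post (the directory list, sort by date modified, publisher check, Winlogon check, rename to .old) as an added PowerShell script, not the poster's own. Assumptions: WinPE was built with the WinPE-PowerShell package, the infected Windows volume shows up as D: inside WinPE, and the profile folder name is a placeholder; the stock Userinit and Shell values it compares against are the Windows defaults.

```powershell
# Added example, not the poster's own script. Offline triage from a WinPE boot:
# the infected Windows volume is mounted as a drive letter (assumed D: here),
# and the profile folder name is assumed. Save as triage.ps1 and run from WinPE.
param(
    [string]$OfflineRoot = 'D:',        # assumption: the infected OS volume
    [int]$Days = 7,                     # how far back "extremely recent" reaches
    [string]$UserName = 'username'      # assumption: profile to inspect
)

# The hiding places listed in the thread (XP-era profile layout plus the
# Vista+ equivalent), rooted on the offline volume.
$dirs = @(
    "$OfflineRoot\Windows",
    "$OfflineRoot\Windows\System32",
    "$OfflineRoot\Windows\System32\Drivers",
    "$OfflineRoot\Windows\System32\Drivers\etc",
    "$OfflineRoot\Program Files",
    "$OfflineRoot\Documents and Settings\$UserName\Local Settings",
    "$OfflineRoot\Documents and Settings\$UserName\Application Data",
    "$OfflineRoot\Users\$UserName\AppData\Local\Temp",
    "$OfflineRoot\Users\$UserName\AppData\Roaming"
)

function Get-RecentBinary {
    # Sort by date modified and show who signed each file; an unsigned or
    # oddly named binary that appeared in the last few days is the candidate.
    param([string[]]$Path, [int]$Days)
    $cutoff = (Get-Date).AddDays(-$Days)
    foreach ($d in $Path) {
        if (-not (Test-Path -LiteralPath $d)) { continue }
        Get-ChildItem -LiteralPath $d -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $cutoff -and ($_.Extension -in ('.exe', '.dll', '.sys', '.scr', '.com')) } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    LastWrite = $_.LastWriteTime
                    Path      = $_.FullName
                    Signature = $sig.Status
                    Publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                    Company   = $_.VersionInfo.CompanyName   # self-declared string, weaker than the signature
                }
            }
    }
}

function Test-OfflineWinlogon {
    # Mount the offline SOFTWARE hive and compare the Winlogon values to their
    # stock settings. The paths say C: because that is what the offline system
    # calls itself once it boots. -Repair writes the stock value back, which is
    # what stops the logon/logoff loop after the bogus file is gone.
    param([string]$OfflineRoot, [switch]$Repair)
    $key = 'HKLM:\OfflineSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expected = @{
        Userinit = 'C:\Windows\system32\userinit.exe,'   # trailing comma is normal
        Shell    = 'explorer.exe'
    }
    & reg.exe load HKLM\OfflineSoftware "$OfflineRoot\Windows\System32\config\SOFTWARE" | Out-Null
    try {
        $wl = Get-ItemProperty -Path $key
        foreach ($name in $expected.Keys) {
            $actual = [string]$wl.$name
            $ok = $actual.TrimEnd(',') -ieq $expected[$name].TrimEnd(',')
            if (-not $ok -and $Repair) { Set-ItemProperty -Path $key -Name $name -Value $expected[$name] }
            [pscustomobject]@{ Value = $name; Actual = $actual; Expected = $expected[$name]; OK = $ok }
        }
    } finally {
        [gc]::Collect()                                    # drop hive handles before unloading
        & reg.exe unload HKLM\OfflineSoftware | Out-Null
    }
}

Get-RecentBinary -Path $dirs -Days $Days | Sort-Object LastWrite -Descending | Format-Table -AutoSize
Test-OfflineWinlogon -OfflineRoot $OfflineRoot | Format-Table -AutoSize

# When you have decided a file is bad, rename rather than delete so a wrong
# call is reversible from the same WinPE boot, then fix the key that loads it:
#   Rename-Item -LiteralPath "$OfflineRoot\Windows\System32\winlogon32.exe" -NewName 'winlogon32.exe.old'
#   Test-OfflineWinlogon -OfflineRoot $OfflineRoot -Repair
```

Two caveats worth keeping in mind with this approach: a Patch Tuesday will drop dozens of recently modified, Microsoft-signed files into System32, so the Publisher column is what lets you skip them quickly; and the Winlogon check only covers Userinit and Shell, so the Run/RunOnce keys and services still need a look of their own.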

Well, I'm kind of handcuffed in a way. I need to provide logs to Security for every infected machine. That's why I have to use programs for the most part.

I’m usually not pressed for time and people expect the worst. My usual build/rebuild/cleanup is about an hour or slightly less. People expect a couple hours. So it’s a win win in most cases.

Only thing I hate is working with machines from other geographical areas.

First, it depends on the type and severity of the virus. If it is something simple, I manually uninstall it. If it is complex but not going to destroy the system, I will back up the data and run ComboFix. ComboFix is perfectly safe if you know what you are doing.
If the system is gone beyond saving (attached to system files that will be destroyed upon removal), I will salvage the user's files, format, and reinstall the OS/files.

Any tips on spotting a virus by file name?

There are some that are a bunch of numbers, like 234889342.exe. That's the first one that comes to mind.

+1. I dick with an infected machine for 40 minutes… after that I quit, back up and reinstall.

If the shit just started, or you know when it first began running like crap or started having issues, I put the view on Details and filter by date modified; anything that sticks out or looks out of place is prolly the virus.

I use msconfig a lot. Sometimes if you go to Startup you'll see an entry that has no description or name. That's a dead giveaway.
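The "startup entry with no description or name" check, and the date-modified check in the post before it, as an added PowerShell example rather than anything from the thread. It walks the same places msconfig's Startup tab reads (the machine and current-user Run/RunOnce keys and the two Startup folders), pulls the executable out of each command line, and flags entries whose target is missing or has an empty FileDescription or CompanyName. Assumptions: the registry key list below is the standard set, not the only autorun location, and the WScript.Shell COM object is used to follow .lnk shortcuts.

```powershell
# Added example, not the poster's own script. Enumerates the startup entries
# msconfig shows (Run/RunOnce keys for the machine and current user plus the
# Startup folders) and flags any whose target file is missing or carries no
# description or company name in its version info.
function Resolve-CommandPath {
    # Pull the executable out of a command line such as
    #   "C:\Program Files\Foo\foo.exe" /tray   or   C:\Windows\bad.exe -s
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1); if ($end -lt 0) { $end = $cmd.Length }
        $exe = $cmd.Substring(1, $end - 1)
    } else {
        $m = [regex]::Match($cmd, '^(.+?\.(exe|dll|scr|com|bat|cmd|vbs))(\s|$)', 'IgnoreCase')
        $exe = if ($m.Success) { $m.Groups[1].Value } else { ($cmd -split '\s+')[0] }
    }
    if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {   # bare name: resolve via PATH
        $found = Get-Command $exe -ErrorAction SilentlyContinue
        if ($found -and $found.Path) { $exe = $found.Path }
    }
    return $exe
}

function New-StartupRecord {
    param([string]$Source, [string]$Name, [string]$Command)
    $exe = Resolve-CommandPath $Command
    $exists = [bool]$exe -and (Test-Path -LiteralPath $exe -PathType Leaf)
    $vi = if ($exists) { (Get-Item -LiteralPath $exe).VersionInfo } else { $null }
    [pscustomobject]@{
        Source      = $Source
        Name        = $Name
        Command     = $Command
        Target      = $exe
        Exists      = $exists
        Description = $vi.FileDescription
        Company     = $vi.CompanyName
        # Blank description and company is the giveaway from the post; a missing
        # target means the loader entry outlived the file it pointed at.
        Flag        = (-not $exists) -or [string]::IsNullOrWhiteSpace($vi.FileDescription) -or [string]::IsNullOrWhiteSpace($vi.CompanyName)
    }
}

function Get-StartupEntry {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider noise, not values
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($v in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($v.Name -in $meta) { continue }
            New-StartupRecord -Source $k -Name $v.Name -Command ([string]$v.Value)
        }
    }
    $shell = New-Object -ComObject WScript.Shell
    $folders = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    foreach ($f in $folders) {
        if (-not (Test-Path $f)) { continue }
        foreach ($item in Get-ChildItem -LiteralPath $f -File -Force) {
            # Follow .lnk shortcuts to their target; anything else runs as-is.
            $cmd = if ($item.Extension -ieq '.lnk') { $shell.CreateShortcut($item.FullName).TargetPath } else { $item.FullName }
            New-StartupRecord -Source $f -Name $item.Name -Command $cmd
        }
    }
}

Get-StartupEntry | Sort-Object Flag -Descending | Format-Table Flag, Name, Company, Description, Target -AutoSize
```

FileDescription and CompanyName are strings the file's author typed into its version resource, so a blank one is a hint in the direction the post describes, not proof, and a filled-in one proves nothing either; an Authenticode check on the flagged targets is the stronger test. Services, scheduled tasks and Winlogon are separate autorun locations this list does not cover.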

I run a security suite prior to virus removal called IObit Security. It installs very fast and deep scans your system. It will tell you the names and how many variations of the virus are on your system, whether it's a hijacker, Vundo, etc.

I've found ComboFix misses a lot of shit, but as far as "system being beyond saving", even if they are attached to system files, it's easy enough to replace them, depending on what the file is. But yes, there are times where you just need to back up and start fresh.

As ILYA said, some are a bunch of random numbers like 1234454.exe, some are just odd-looking names like wasd23.exe/.dll/.sys etc…

Basically, if you know around the time the machine was infected you can sort by date modified, as krazykid said, and look at the publisher, as for the most part 90% of legit files will have the publisher name attached. If you are ever unsure, just Google it, or rename it to .old… restart the system and see if anything's broken.

This, but if you're unsure just always rename to .old, and if it breaks the system or a program just go back and fix it.

By the time you've installed that and run a full scan, I bet you could have had the virus almost completely gone and the machine uninfected in a quarter of the time. The only thing you really tend to miss is a few registry keys, but for the most part, as long as you deleted any files they're trying to call, it won't matter; just run a scan using something small and fast to find them… I've found that CCleaner will actually kill registry keys left by viruses.

I'm not saying I don't agree with you, but why run the scan prior and have it take more time as it's finding things, rather than just delete everything you can find and run a scan that will presumably be much faster?

Unless you need log files, in which case I guess that's a different story.

I haven't had to do this in quite a while, since I don't really do this stuff anymore, but I usually used my hard-drive-to-USB converter and scanned the drive with AVG, then used Spybot or Ad-Aware to check the disk again.
I would then put the drive back in, scan it with Spybot, Ad-Aware and Crap Cleaner, run any Windows security updates, check for antivirus, run check disk, and then defrag.

Apple… no problems with viruses.

a fire. die in it.

Because Apples are only used by 10% of the population. :lmao

Haha… I knew I would get people riled up.

I'm not riled. Macs run great and look great, but their functionality is limited in the business world.

I win. End of story. lol.

I could care less about the business world. I agree that it doesn't have as much potential as Windows, but all I need it to do is work correctly; I'm not into video or picture editing or music producing or hacking or anything like that.

To each his own. I can't justify the price of those things though. That's my personal thing against it/them. I can build a machine (desktop or laptop) way more powerful for that price.